Analysis

max time kernel: 141s
max time network: 147s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2023 00:05
Behavioral task: behavioral1

Sample: RuntimeBroker.exe
Resource: win7-20230220-en
General

Target: RuntimeBroker.exe
Size: 63KB
MD5: 251e7183331025aac57c3965ca6bdb3b
SHA1: b7d7e6f953bf378dae8d9f666369d8e60e405e95
SHA256: ae799c3696cadbbe3a8d2036f67685e01f385f214f47b0c7d094a15159688e71
SHA512: 0209d2916ec0a1c67043e04c2c4ce9a3b6401d437791581887fe3ba17f2eefdec35fe2adc79704868a1750977f0b9fb7a29c3fe68d4df9b5a494988757e1b453
SSDEEP: 768:+uw6LVcsTPq781wC8A+XjGDp4b+tlbBH11+T4pSBGHmDbDG5phQWoXeYQTJKZGSv:PeQPcmlTOYUbch05qKxulkpqKmY7
Malware Config

Extracted

Family: asyncrat
Botnet: Default
C2: udmansoud-59712.portmap.host:59712
Mutex: ikU2zF吉诶T8تXω比9ΖNIר

Attributes:
  delay: 1
  install: true
  install_file: svchost.exe
  install_folder: %AppData%
Signatures

Async RAT payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1764-54-0x0000000000BE0000-0x0000000000BF6000-memory.dmp   asyncrat
  C:\Users\Admin\AppData\Roaming\svchost.exe                                    asyncrat
  C:\Users\Admin\AppData\Roaming\svchost.exe                                    asyncrat
  behavioral1/memory/2040-68-0x0000000000E70000-0x0000000000E86000-memory.dmp   asyncrat
  behavioral1/memory/2040-86-0x00000000005F0000-0x0000000000624000-memory.dmp   asyncrat

Executes dropped EXE (1 IoC)
  pid    process
  2040   svchost.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
  pid    process
  1112   timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid    process
  1764   RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   1764   RuntimeBroker.exe
  Token: SeDebugPrivilege   2040   svchost.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                         pid    process             target process
  PID 1764 wrote to memory of 1372    1764   RuntimeBroker.exe   cmd.exe
  PID 1764 wrote to memory of 1372    1764   RuntimeBroker.exe   cmd.exe
  PID 1764 wrote to memory of 1372    1764   RuntimeBroker.exe   cmd.exe
  PID 1764 wrote to memory of 1472    1764   RuntimeBroker.exe   cmd.exe
  PID 1764 wrote to memory of 1472    1764   RuntimeBroker.exe   cmd.exe
  PID 1764 wrote to memory of 1472    1764   RuntimeBroker.exe   cmd.exe
  PID 1472 wrote to memory of 1112    1472   cmd.exe             timeout.exe
  PID 1472 wrote to memory of 1112    1472   cmd.exe             timeout.exe
  PID 1472 wrote to memory of 1112    1472   cmd.exe             timeout.exe
  PID 1372 wrote to memory of 1172    1372   cmd.exe             schtasks.exe
  PID 1372 wrote to memory of 1172    1372   cmd.exe             schtasks.exe
  PID 1372 wrote to memory of 1172    1372   cmd.exe             schtasks.exe
  PID 1472 wrote to memory of 2040    1472   cmd.exe             svchost.exe
  PID 1472 wrote to memory of 2040    1472   cmd.exe             svchost.exe
  PID 1472 wrote to memory of 2040    1472   cmd.exe             svchost.exe

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\cmd.exe (depth 2)
    command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\schtasks.exe (depth 3)
      command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe (depth 2)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBA5.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe (depth 3)
      command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\svchost.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 62KB
  MD5: 3ac860860707baaf32469fa7cc7c0192
  SHA1: c33c2acdaba0e6fa41fd2f00f186804722477639
  SHA256: d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
  SHA512: d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar5CE7.tmp
  Filesize: 164KB
  MD5: 4ff65ad929cd9a367680e0e5b1c08166
  SHA1: c0af0d4396bd1f15c45f39d3b849ba444233b3a2
  SHA256: c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
  SHA512: f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\Local\Temp\tmpBA5.tmp.bat
  Filesize: 150B
  MD5: ddcf2f67b40c79fd46d768e4aff7b58b
  SHA1: 15935b22a3ed5021c5e98b7ee9c6dde964946a17
  SHA256: 2d0cdc0239ca29642b3d76f9a3289969005b039df395c1ba739814e0e1db7e26
  SHA512: 698f435ce54f9ba0c4897bd1c54a13068906752342f45d1e6c557ee2a34676739cafb60db26042872f03e6b47e0a8bd4c6283699df94a2fd7c24b95603556e6b

C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 63KB
  MD5: 251e7183331025aac57c3965ca6bdb3b
  SHA1: b7d7e6f953bf378dae8d9f666369d8e60e405e95
  SHA256: ae799c3696cadbbe3a8d2036f67685e01f385f214f47b0c7d094a15159688e71
  SHA512: 0209d2916ec0a1c67043e04c2c4ce9a3b6401d437791581887fe3ba17f2eefdec35fe2adc79704868a1750977f0b9fb7a29c3fe68d4df9b5a494988757e1b453

memory/1764-54-0x0000000000BE0000-0x0000000000BF6000-memory.dmp
  Filesize: 88KB

memory/1764-55-0x000000001B0A0000-0x000000001B120000-memory.dmp
  Filesize: 512KB

memory/2040-68-0x0000000000E70000-0x0000000000E86000-memory.dmp
  Filesize: 88KB

memory/2040-86-0x00000000005F0000-0x0000000000624000-memory.dmp
  Filesize: 208KB